ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

eToro API

v1.0.0

Enables agents to interact with the eToro API to access market data, portfolio and social features, and execute trades programmatically.

0· 430·1 current·1 all-time
byMariano Pardo@marian2js
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill's stated purpose (interact with eToro, including executing trades) matches the SKILL.md content. However, the registry metadata declares no required credentials or primary credential, while the runtime instructions clearly require a Public API Key and a User Key (with Real vs Demo environments). This mismatch is unexpected for a trading integration and reduces transparency about what sensitive inputs the skill will request.
Instruction Scope
The SKILL.md stays within the scope of an eToro API client (detailed endpoints, headers, casing rules, demo vs real endpoints, and example requests). It explicitly documents how to perform live trading and demo trading. It does not instruct the agent to read unrelated files or system state. The notable point: it tells the agent to 'request keys from the user on install' (i.e., prompt for secrets) even though those secrets aren't declared in the registry metadata.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — nothing is written to disk by an installer, which is lower risk from an install perspective.
!
Credentials
The runtime instructions require sensitive credentials (Public API Key and User Key) and environment selection (Real vs Virtual) to operate — reasonable for the stated purpose — but the skill metadata lists no required env vars or primary credential. That lack of declared secrets is disproportionate to the documented runtime needs and may hide what the agent will ask the user to provide.
Persistence & Privilege
The skill is not marked always:true and defaults allow model invocation (normal behavior). There is no indication the skill will modify other skills or request persistent system-wide privileges.
What to consider before installing
This skill's documentation shows it will ask you for an eToro Public API Key and a User Key and can execute real trades — but the registry metadata didn't declare any required credentials. Before installing: (1) confirm the skill's origin (source is listed as unknown despite an eToro homepage link); (2) demand that the publisher declare required credentials in the metadata; (3) for testing only give a demo/virtual User Key with limited permissions (prefer Read-only or demo keys); (4) do not provide real trading keys unless you fully trust the skill and its publisher and you are prepared for the agent to place orders; (5) prefer explicit prompts/consent before any real-trade API call and check logs/confirmations. If the publisher cannot justify why credentials are omitted from metadata, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk976sbrafv3vzc1a4vmkk7ypth81st38

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📈 Clawdis

Comments